The FTC has issued guidance for data protection practices and policies in the mobile ecosystem, particularly taking aim at the app publishers who have the direct connection with users and have the ability to give notice and obtain consent to practices such as behavioral tracking and ad targeting. See Marketing Your App: Get it Right from the Start. The guidance, which does not have the force of law but likely reflects what the FTC believes is required by Section 5 of the FTC Act, provides that mobile services providers:
- Adopt "Privacy by Design" to (i) incorporate privacy protections into product design, including having default settings consistent with consumer expectations; (ii) "for any collection or sharing of data that is not apparent, get users' express agreement"; (iii) limit data collected to what is necessary; (iv) secure the data; and (v) safely dispose of data when it is no longer needed.
- Clearly and conspicuously disclose all material information about data practices, which the FTC explains must be more than disclosures buried in terms of service or privacy policies and must instead be explained up front in simple terms. While details can be linked to, it warns against "vague hyperlinks".
- Offer choice through privacy settings and opt-outs that are easy to find and use.
- Get express, affirmative consent before collecting sensitive data such as geo-location, medical or financial data.
- Obtain verified parental consent before collecting personal information from children under 13.
- Be honest and transparent -- honor data and other promises and do not make deceptive claims.
The latest FTC warnings to the mobile industry follow announcements by the California Attorney General that California privacy laws require mobile services operators, including app publishers, to post accurate privacy policies, and that the primary app marketplace gatekeepers had joined together to work out ways to better ensure implementation of the law, which the AG had found to be largely ignored in the mobile app space. The FTC had earlier this year suggested the same standards articulated in its new guidance in a report calling for greater self-regulation. The new guidance is a further push of industry in this direction. The mobile advertising industry has recently announced efforts toward self-regulation, while the FCC is considering imposing data privacy and security standards on the mobile industry, but lags behind efforts already in place broadly in the online industry.
Failure to follow the types of guidance set forth by the FTC has led to hundreds of consumer privacy class actions against mobile device manufacturers, operating system providers, application publishers, ad networks and exchanges and even individual advertisers over the last two years.